jekyll-theme-zer0 1.13.1 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8ad83858a690a41ecdcffeb9d1666bdb477c74f5dc0e203bc0059a56e7ed68a2
-  data.tar.gz: 88b906b270107cc25861394ff63b9772b9b1758c39315a2758bbe45f42ec00cc
+  metadata.gz: 6bd5748efd683917f588e3f0e130536a6ba00727f0d2027445261b1258d2b22d
+  data.tar.gz: dcd71edd2118b837980feccce2474ab6936d7838756d4ed3a9aa4a80ef76ff75
 SHA512:
-  metadata.gz: a24b1b809afaff0913078bbdbf5ba74799c757d330203ef54f0bccc21e8d4fe82920430ce3d981a540bcea0ac89f8e31b1284eb92db60d0f89c3986b16891126
-  data.tar.gz: 01dd7a1a0ae1ab4f82936db64ecd509280c76714e80ae55be46c0f67dbca6c59efd5f7590960d11f46237380b6b680873f816e6bb72845d7726c24137b57e4c6
+  metadata.gz: 28d42c8f1d75356b055eeeb493d8daf466ef1e8d23eb8aade96f4c77de0f1b1b7d307f821b5ef65716d2379920bd68f9d4862d0ad0fc214b82f9398349041617
+  data.tar.gz: 5c2d7da877cdcaa317ef6e90e6c60e5f28098dd1742101c793140801a45d8aa029f8d97960d830bdd4ef00c22f4241f4c2fd9c2e2659c218d2ae69369fd80f9a

data/CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.15.0] - 2026-06-12
+
+### Changed
+- Version bump: minor release
+
+### Commits in this release
+- 85d0295a feat(quality): implement six backlog tasks — T-003/004/008/014/015/016 (#144)
+- 71b8fe46 fix(gemspec): require Ruby >= 3.2 to match modern dependency floor (#93)
+
+### Added
+- **Contribution templates (T-003)**: bug-report and feature-request issue forms, contact links, and a PR template with the conventional-commit/CHANGELOG/test checklist
+- **Locale-independence guard (T-015)**: lib test suite runs the roadmap/backlog/preflight validators under `LC_ALL=C LANG=C` so the UTF-8 crash class fixed in 1.12.1 cannot return
+
+### Fixed
+- **Theme customizer (T-008)**: YAML export now quotes hex color values in both builders — unquoted `#RRGGBB` parsed as a YAML comment and silently dropped colors; frozen regression test promoted to live
+- **Docs lint baseline (T-004/T-014)**: ~1,600 markdownlint violations fixed or config-tuned to zero (MD060 disabled as post-config stylistic noise, MD025 front-matter handling, MD024 siblings-only); a stray code fence that swallowed the troubleshooting "Advanced Topics" section into a code block repaired; table pipes escaped; 15 dead README links remapped to the reorganized `docs/` tree
+- **site_generation suite (T-016)**: `jekyll build` failures now fail the suite instead of degrading to warnings (missing-bundler skip retained)
+
+### Changed
+- **Docs lint gate (T-014)**: both `|| true` suppressions removed from `docs-validate.yml` — markdownlint now blocks on a zero-violation baseline
+
+## [1.14.0] - 2026-06-11
+
+### Changed
+- Version bump: minor release
+
+### Commits in this release
+- 5de341aa feat(security): sanitize sensitive config lines in admin config-page DOM (T-009) (#140)
+- 42468785 chore(deps): update Ruby gem dependencies (#129)
+- 89e21988 Improve LinkedIn share flow with cleaned article summary (#99)
+
+### Security
+- **Admin config page (T-009 hardening)**: added a pure-Liquid line-redaction layer for the hidden `<pre id="cfg-full-yaml">` element — the `sanitize_config_yaml` plugin filter shipped in 1.13.1 does not run on GitHub Pages builds (safe mode ignores custom plugins, and the unknown filter is a silent no-op), so Pages-built sites were still injecting raw config; the Liquid layer protects every build path, with the plugin filter kept as defense-in-depth
+
+### Fixed
+- **Workflow lint (T-017)**: `version-bump.yml` now passes the repo yamllint config (trailing spaces, bracket spacing, sequence indentation) — these pre-existing violations failed the `auto-version` integration suite on every code PR once the T-012 gate went live; YAML verified semantically identical before/after
+- **Changelog tooling**: `update_changelog_file` normalizes trailing newlines on the entry, guaranteeing exactly one blank line before the next release block even when callers pass entries via command substitution (review feedback on the T-012 PR)
+
 ## [1.13.1] - 2026-06-11
 
 ### Changed

data/README.md

@@ -2,7 +2,7 @@
 title: zer0-mistakes
 sub-title: AI-Native Jekyll Theme
 description: AI-native Jekyll theme for GitHub Pages — Docker-first development, AI-powered installation, multi-agent integration (Copilot, Codex, Cursor, Claude), AI preview-image generation, and AIEO content optimization with Bootstrap 5.3.
-version: 1.13.1
+version: 1.15.0
 layout: landing
 tags:
   - jekyll
@@ -20,7 +20,7 @@ categories:
   - bootstrap
   - ai-tooling
 created: 2024-02-10T23:51:11.480Z
-lastmod: 2026-06-11T21:37:24.000Z
+lastmod: 2026-06-12T01:01:59.000Z
 draft: false
 permalink: /
 slug: zer0
@@ -571,7 +571,7 @@ cd <your-username>.github.io
 docker-compose up
 ```
 
-See [docs/FORKING.md](docs/FORKING.md) for the full progressive workflow.
+See [docs/FORKING.md](docs/installation/forking.md) for the full progressive workflow.
 
 ---
 
@@ -703,7 +703,7 @@ zer0-mistakes documentation is split across three audiences. Pick the layer that
 | [📊 Analytics](https://zer0-mistakes.com/docs/analytics/) | PostHog, Google Analytics setup |
 | [🔍 SEO](https://zer0-mistakes.com/docs/seo/) | Meta tags, sitemap, structured data |
 | [📓 Jupyter Notebooks](https://github.com/bamr87/zer0-mistakes/blob/main/docs/JUPYTER_NOTEBOOKS.md) | Notebook conversion documentation |
-| [📝 PRD](docs/PRD.md) | Product requirements & roadmap |
+| [📝 PRD](docs/architecture/prd-requirements.md) | Product requirements & roadmap |
 | [🔒 Privacy Policy](https://zer0-mistakes.com/privacy-policy/) | GDPR/CCPA compliant privacy docs |
 
 ### Contributor Technical Reference
@@ -712,18 +712,18 @@ These files live in the repo under `docs/` and are intended for theme contributo
 
 | File | Topic |
 |------|-------|
-| [docs/design-system.md](docs/design-system.md) | Design system overview |
-| [docs/design-tokens.md](docs/design-tokens.md) | Design tokens reference |
-| [docs/components.md](docs/components.md) | UI component catalogue |
-| [docs/layouts-and-navigation.md](docs/layouts-and-navigation.md) | Layout hierarchy & navigation |
-| [docs/theming.md](docs/theming.md) | Sass / Bootstrap theming guide |
-| [docs/customization.md](docs/customization.md) | Site customization patterns |
-| [docs/configuration.md](docs/configuration.md) | `_config.yml` reference |
-| [docs/code-blocks.md](docs/code-blocks.md) | Syntax highlighting setup |
-| [docs/extending.md](docs/extending.md) | Adding layouts, includes & plugins |
-| [docs/js-api.md](docs/js-api.md) | JavaScript module API |
-| [docs/TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md) | Common issues & fixes |
-| [docs/FORKING.md](docs/FORKING.md) | Forking & personalization guide |
+| [docs/design-system.md](docs/ui/design-system.md) | Design system overview |
+| [docs/design-tokens.md](docs/ui/design-tokens.md) | Design tokens reference |
+| [docs/components.md](docs/ui/components.md) | UI component catalogue |
+| [docs/layouts-and-navigation.md](docs/ui/layouts-and-navigation.md) | Layout hierarchy & navigation |
+| [docs/theming.md](docs/ui/theming.md) | Sass / Bootstrap theming guide |
+| [docs/customization.md](docs/ui/customization.md) | Site customization patterns |
+| [docs/configuration.md](docs/ui/configuration.md) | `_config.yml` reference |
+| [docs/code-blocks.md](docs/ui/code-blocks.md) | Syntax highlighting setup |
+| [docs/extending.md](docs/ui/extending.md) | Adding layouts, includes & plugins |
+| [docs/js-api.md](docs/ui/js-api.md) | JavaScript module API |
+| [docs/TROUBLESHOOTING.md](docs/development/troubleshooting.md) | Common issues & fixes |
+| [docs/FORKING.md](docs/installation/forking.md) | Forking & personalization guide |
 
 ---
 
@@ -803,7 +803,7 @@ When you fork the theme as a starter, the workflows come with you. To make them
 
 ## 🗺 Roadmap
 
-The diagram and table below are auto-generated from [`_data/roadmap.yml`](_data/roadmap.yml) by [`scripts/generate-roadmap.sh`](scripts/generate-roadmap.sh). See the full [Roadmap page](https://zer0-mistakes.com/roadmap/) for per-version detail and the [PRD](docs/PRD.md) for product context.
+The diagram and table below are auto-generated from [`_data/roadmap.yml`](_data/roadmap.yml) by [`scripts/generate-roadmap.sh`](scripts/generate-roadmap.sh). See the full [Roadmap page](https://zer0-mistakes.com/roadmap/) for per-version detail and the [PRD](docs/architecture/prd-requirements.md) for product context.
 
 <!-- ROADMAP_MERMAID:START -->
 
@@ -830,10 +830,11 @@ gantt
     v1.9 Installer v2 & Site Scraper :done, 2026-05, 2026-05
     v1.10 Roadmap Validation     :done, 2026-06, 2026-06
     v1.11 Continuous-Evolution Loop :done, 2026-06, 2026-06
+    v1.12 Headless Endpoints     :done, 2026-06, 2026-06
+    v1.13 Quality Framework — First Wave :done, 2026-06, 2026-06
     section Current
-    v1.12 Headless Endpoints     :active, 2026-06, 2026-06
+    v1.14 Zer0-Mistake Quality Framework :active, 2026-06, 2026-08
     section Future
-    v1.13 Zer0-Mistake Quality Framework :2026-06, 2026-08
     v2.0 CMS Integration         :2026-06, 2026-08
     v2.1 i18n Support            :2026-08, 2026-10
     v2.2 Advanced Analytics      :2026-10, 2026-12
@@ -864,8 +865,9 @@ gantt
 | **v1.9** | ✅ Completed | May 2026 | Modular installer v2 with deploy plugins, AI wizard pipeline, and a site scraper. |
 | **v1.10** | ✅ Completed | Jun 2026 | Roadmap integrity validation and catch-up milestones so the roadmap tracks the shipped gem. |
 | **v1.11** | ✅ Completed | Jun 2026 | Self-sustaining backlog loop so AI agents keep improving the repo between human sessions. |
-| **v1.12** | 🚧 In Progress | Current (1.12.x) | Machine-readable site endpoints for downstream sites and AI agents. |
-| **v1.13** | 🗓 Planned | Q3 2026 | Close the gap between the repo's quality gates and what CI actually enforces — no mistake lands green. |
+| **v1.12** | ✅ Completed | Jun 2026 | Machine-readable site endpoints for downstream sites and AI agents. |
+| **v1.13** | ✅ Completed | Jun 2026 | First shipped wave of the Zer0-Mistake Quality Framework: CI gate parity and DOM sanitization. |
+| **v1.14** | 🚧 In Progress | Current (1.14.x) | Close the gap between the repo's quality gates and what CI actually enforces — no mistake lands green. |
 | **v2.0** | 🗓 Planned | Q3 2026 | Headless CMS integration with a content API and admin dashboard. |
 | **v2.1** | 🗓 Planned | Q4 2026 | Multi-language content support with locale-aware routing. |
 | **v2.2** | 🗓 Planned | Q4 2026 | Visual theme customizer, A/B testing, and conversion funnels. |
@@ -909,7 +911,7 @@ git push origin feature/awesome-feature
 
 | Metric | Value |
 |--------|-------|
-| **Current Version** | 1.13.1 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
+| **Current Version** | 1.15.0 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
 | **Documented Features** | 43 ([Feature Registry](https://github.com/bamr87/zer0-mistakes/blob/main/_data/features.yml)) |
 | **Setup Time** | 2-5 minutes ([install.sh benchmarks](https://github.com/bamr87/zer0-mistakes/blob/main/install.sh)) |
 | **Documentation Pages** | 70+ ([browse docs](https://zer0-mistakes.com/pages/)) |
@@ -964,6 +966,6 @@ And these AI partners that make zer0-mistakes truly AI-native:
 
 **Built with ❤️ — and a little help from our AI partners — for the Jekyll community**
 
-**v1.13.1** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)
+**v1.15.0** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)
 
 

data/_data/backlog.yml

@@ -55,8 +55,8 @@
 
 meta:
   title: "zer0-mistakes Backlog"
-  updated: 2026-06-11
-  next_id: 18
+  updated: 2026-06-12
+  next_id: 19
 
 tasks:
   # --- Housekeeping (seeded so the loop has work on day one) ------------------
@@ -106,7 +106,7 @@ tasks:
 
   - id: T-003
     title: "Add GitHub issue templates and a pull-request template"
-    status: open
+    status: done
     priority: P2
     area: infra
     risk: standard
@@ -116,17 +116,21 @@ tasks:
       The repo has no `.github/ISSUE_TEMPLATE/` or PR template. Add a bug-report
       and feature-request issue form plus a PR template that nudges contributors
       toward conventional commits, CHANGELOG updates, and the test checklist.
+      Done 2026-06-12: bug-report and feature-request issue forms, config.yml
+      with contact links (blank issues stay enabled for the API-driven backlog
+      sync), and a PR template with the conventional-commit/CHANGELOG/test
+      checklist.
     acceptance:
       - "`.github/ISSUE_TEMPLATE/bug_report.yml` and `feature_request.yml` exist and render."
       - "`.github/pull_request_template.md` exists with a conventional-commit + CHANGELOG + tests checklist."
       - "Agent-filed backlog issues remain compatible with the new templates (no broken automation)."
     links: { issue: null, pr: null, roadmap: null }
     created: 2026-05-31
-    updated: 2026-05-31
+    updated: 2026-06-12
 
   - id: T-004
     title: "Docs-freshness sweep: reconcile docs/ ↔ pages/_docs/ and fix broken links"
-    status: open
+    status: done
     priority: P2
     area: docs
     risk: low
@@ -136,13 +140,18 @@ tasks:
       Run the markdown-link checker and audit the two-tier docs for drift,
       stale dates/versions, and any user/technical pages that fell out of sync
       after the recent alignment commit.
+      Done 2026-06-12: markdownlint baseline cleaned to zero violations
+      (~1,600 fixed: auto-fix pass, MD060/MD025/MD024 config tuning, fence
+      languages, table pipe escapes, a stray fence swallowing a docs section),
+      15 dead README links remapped to the reorganized docs/ tree,
+      check-links.sh reports 0 broken links.
     acceptance:
       - "`markdown-link-check` (config in `.github/config/`) reports no broken internal links."
       - "Any stale version/date references in `docs/` and `pages/_docs/` are corrected."
       - "Cross-links between the user tier and technical tier resolve both ways."
     links: { issue: null, pr: null, roadmap: null }
     created: 2026-05-31
-    updated: 2026-05-31
+    updated: 2026-06-12
 
   - id: T-005
     title: "Coverage baseline: identify the lowest-covered subsystems toward the 90% goal"
@@ -192,7 +201,7 @@ tasks:
 
   - id: T-008
     title: "Fix theme-customizer YAML export to quote hex color values"
-    status: open
+    status: done
     priority: P2
     area: feat
     risk: standard
@@ -203,13 +212,17 @@ tasks:
       YAML without quoting strings that start with `#`. Unquoted `#RRGGBB` is treated as a
       YAML comment by parsers, silently dropping colour values. A regression guard in
       `test/visual/theme-colors.spec.js` is frozen as `test.fixme` until the bug is fixed.
+      Done 2026-06-12: both YAML builders (theme-customizer.js fallback and
+      palette-generator.js commented overrides) quote color values; frozen
+      regression test promoted to live test(); export verified parseable by
+      Ruby YAML with colors preserved.
     acceptance:
       - "JS export wraps every hex colour value (matching `/#[0-9a-fA-F]{3,8}/`) in double quotes in the generated YAML."
       - "The `test.fixme` in `test/visual/theme-colors.spec.js` is promoted to a live `test()` and passes in CI."
       - "Exported YAML is valid when parsed by `yaml.safe_load` in Ruby."
     links: { issue: null, pr: null, roadmap: null }
     created: 2026-06-01
-    updated: 2026-06-01
+    updated: 2026-06-12
 
   - id: T-009
     title: "Sanitize sensitive config keys from admin config-page DOM injection"
@@ -225,6 +238,9 @@ tasks:
       (`api_key`, `token`, PostHog `phc_*` keys, etc.) they are exposed in the page
       DOM. A regression test in `test/visual/security.spec.js` is frozen as
       `test.fixme` until a sanitisation pass is in place.
+      Done 2026-06-11: pure-Liquid line filter redacts matching lines before
+      DOM injection (GitHub Pages safe — no custom plugin); regression test
+      promoted to a live `test()`; visible Raw-YAML tab untouched.
     acceptance:
       - "The Liquid/Ruby that populates `<pre id=\"cfg-full-yaml\">` strips or masks keys matching `api_key`, `secret`, `password`, `token`, and `phc_` prefix before DOM injection."
       - "The `test.fixme` in `test/visual/security.spec.js` is promoted to a live `test()` and passes in CI."
@@ -339,7 +355,7 @@ tasks:
 
   - id: T-014
     title: "Re-arm the docs link-check gate (remove warn-only || true)"
-    status: open
+    status: done
     priority: P2
     area: lint
     risk: standard
@@ -349,17 +365,20 @@ tasks:
       `docs-validate.yml` runs markdown-link-check with `|| true` ("warn-only
       until baseline is clean"), so broken links accumulate. Fix the links it
       currently reports, then drop the `|| true` so the gate blocks.
+      Done 2026-06-12: baseline cleaned to zero violations and both
+      warn-only suppressions removed from docs-validate.yml — the lint gate
+      now blocks. (The internal link check was already blocking.)
     acceptance:
       - "All links reported by the current `docs-validate.yml` run are fixed or allowlisted in `.github/config/.markdown-link-check.json`."
       - "Both `|| true` suppressions removed from `docs-validate.yml`."
       - "`docs-validate.yml` passes blocking on a follow-up PR."
     links: { issue: null, pr: null, roadmap: "1.13" }
     created: 2026-06-10
-    updated: 2026-06-10
+    updated: 2026-06-12
 
   - id: T-015
     title: "Locale-independence regression guard for Ruby/Bash tooling"
-    status: open
+    status: done
     priority: P2
     area: infra
     risk: standard
@@ -371,17 +390,21 @@ tasks:
       only reproduced without a UTF-8 locale. Add a guard so the bug class
       cannot return: run the validators under `LC_ALL=C` in a lib test or a
       dedicated CI step.
+      Done 2026-06-12: scripts/test/lib/test_locale_independence.sh runs
+      generate-roadmap --check/--validate, sync-backlog --check, and
+      validate --quick under LC_ALL=C LANG=C; verified the guard fails when
+      the explicit-UTF-8 read is reverted.
     acceptance:
       - "A test (scripts/test/lib/) or CI step runs `generate-roadmap.rb --check`, `sync-backlog.rb --check`, and `validate --quick` with `LC_ALL=C LANG=C`."
       - "The guard fails when the explicit-UTF-8 reads are reverted (verified once locally)."
       - "`./scripts/bin/test` stays green."
     links: { issue: null, pr: null, roadmap: "1.13" }
     created: 2026-06-10
-    updated: 2026-06-10
+    updated: 2026-06-12
 
   - id: T-016
     title: "site_generation suite: fail on Jekyll build errors instead of warning"
-    status: open
+    status: done
     priority: P2
     area: tests
     risk: standard
@@ -395,17 +418,20 @@ tasks:
       the suite now gating PRs in CI (working bundler guaranteed), build
       failures should fail the suite; keep the skip only for genuinely
       missing toolchain (no bundler).
+      Done 2026-06-12: jekyll build failures now fail the suite (bundler-
+      missing still skips); verified strict suite passes locally with real
+      builds.
     acceptance:
       - "A non-zero `jekyll build` exit fails the suite when bundler is available."
       - "The bundler-missing path still skips with a warning (local minimal environments)."
       - "Suite passes in CI and via `./test/test_runner.sh --suites site_generation` locally."
     links: { issue: null, pr: null, roadmap: "1.13" }
     created: 2026-06-10
-    updated: 2026-06-10
+    updated: 2026-06-12
 
   - id: T-017
     title: "Fix yamllint violations in .github/workflows/version-bump.yml"
-    status: open
+    status: done
     priority: P2
     area: lint
     risk: low
@@ -417,6 +443,9 @@ tasks:
       integration test (which runs yamllint) to fail in CI on every PR. Discovered
       while babysitting PR #141 — the file was unchanged by that PR, confirming
       the failures are pre-existing.
+      Done 2026-06-11: full cleanup (trailing spaces, brackets, sequence
+      indentation) landed with the T-009 PR; YAML verified semantically
+      identical and yamllint exits 0 with the repo config.
     acceptance:
       - "`yamllint -c .github/config/.yamllint.yml .github/workflows/version-bump.yml` exits 0."
       - "`./scripts/test/integration/auto-version` passes the 'version-bump workflow syntax' check."
@@ -425,3 +454,26 @@ tasks:
     created: 2026-06-11
     updated: 2026-06-11
 
+  - id: T-018
+    title: "Admin config page displays a stale copy of _config.yml — keep it in sync safely"
+    status: open
+    priority: P2
+    area: feat
+    risk: standard
+    effort: M
+    source: audit
+    summary: >-
+      `pages/_about/settings/config.md` renders `pages/_about/settings/_config.yml`
+      via `include_relative` (Liquid cannot reach the repo root), and that copy
+      has drifted from the live `_config.yml` (it predates, e.g., the PostHog
+      analytics block). Found while implementing T-009. Caution: a naive
+      refresh would inject the live `phc_` api_key into the *visible* Raw-YAML
+      tab — any sync mechanism must sanitize the visible tab the same way
+      T-009 sanitizes the hidden copy element, or redact at sync time.
+    acceptance:
+      - "The config shown at /about/config/ matches the live `_config.yml` (automated sync step or build-time check that fails on drift)."
+      - "The visible Raw-YAML tab applies the same sensitive-line redaction as the hidden `cfg-full-yaml` element."
+      - "`test/visual/security.spec.js` raw-tab test passes without its silent skip path (locator matches the actual `code#cfg-raw-yaml` element)."
+    links: { issue: null, pr: null, roadmap: "1.13" }
+    created: 2026-06-11
+    updated: 2026-06-11

data/_data/roadmap.yml

@@ -60,7 +60,7 @@
 meta:
   title: "zer0-mistakes Roadmap"
   tagline: "Past releases, current focus, and future plans for the zer0-mistakes Jekyll theme."
-  updated: 2026-06-10
+  updated: 2026-06-12
 
 milestones:
   # --- Completed -------------------------------------------------------------
@@ -313,38 +313,50 @@ milestones:
       - "`/repo-audit` and `/backlog-implement` agent routines"
       - "Documentation maintenance system and consolidation"
 
-  # --- Current ---------------------------------------------------------------
-
   - version: "1.12"
     title: "Headless Endpoints"
-    status: active
-    section: Current
+    status: completed
+    section: Completed
     start: 2026-06
     end: 2026-06
-    target: "Current (1.12.x)"
+    released: 2026-06-03
     summary: "Machine-readable site endpoints for downstream sites and AI agents."
     features:
       - "Auto-generated `/search.json` endpoint for downstream sites"
       - "Auto-generated `/sitemap/` endpoint"
       - "Ruby gem and Mermaid dependency updates"
 
-  # --- Future ----------------------------------------------------------------
-
   - version: "1.13"
+    title: "Quality Framework — First Wave"
+    status: completed
+    section: Completed
+    start: 2026-06
+    end: 2026-06
+    released: 2026-06-11
+    summary: "First shipped wave of the Zer0-Mistake Quality Framework: CI gate parity and DOM sanitization."
+    features:
+      - "CI gate parity (T-012) — PRs run the full canonical test entrypoint, not a subset"
+      - "Admin config-page DOM sanitization (T-009), Liquid + plugin layers"
+      - "Release changelog single source of truth; workflow lint cleanup (T-017)"
+      - "Gate-coverage controls contract documented in the workflows README"
+
+  # --- Current ---------------------------------------------------------------
+
+  - version: "1.14"
     title: "Zer0-Mistake Quality Framework"
-    status: planned
-    section: Future
+    status: active
+    section: Current
     start: 2026-06
     end: 2026-08
-    target: "Q3 2026"
+    target: "Current (1.14.x)"
     summary: "Close the gap between the repo's quality gates and what CI actually enforces — no mistake lands green."
     features:
-      - "CI gate parity — PRs run the full canonical test entrypoint (lib unit, theme, integration, installer e2e), not a subset"
-      - "Re-armed pixel-snapshot gate (refreshed baselines, no `continue-on-error`)"
-      - "Re-armed docs link-check gate (clean baseline, no warn-only `|| true`)"
-      - "Locale-independence regression guard for the Ruby/Bash tooling"
-      - "Coverage baseline with follow-up tasks for the lowest-covered subsystems"
-      - "Documented required status checks per branch (the 'controls' contract)"
+      - "Re-armed docs lint gate on a zero-violation baseline (T-014)"
+      - "Locale-independence regression guard for the Ruby/Bash tooling (T-015)"
+      - "Strict site_generation suite — build failures fail the gate (T-016)"
+      - "Re-armed pixel-snapshot gate (refreshed baselines, no continue-on-error) (T-013)"
+      - "Coverage baseline with follow-up tasks for the lowest-covered subsystems (T-005)"
+      - "Navbar WCAG 2.1 AA fixes unlocking the axe-core full audit (T-007)"
 
   - version: "2.0"
     title: "CMS Integration"

data/_includes/components/js-cdn.html

@@ -32,6 +32,9 @@
 <!-- Search modal controller -->
 <script src="{{ '/assets/js/search-modal.js' | relative_url }}"></script>
 
+<!-- Share helpers -->
+<script src="{{ '/assets/js/share-actions.js' | relative_url }}"></script>
+
 <!-- fffuel-style background customizer (skin switching, toggle, opacity) -->
 <script src="{{ '/assets/js/background-customizer.js' | relative_url }}"></script>
 

data/_includes/content/intro.html

@@ -46,6 +46,9 @@
 {% assign file_path = page_dir | append: "/" | append: page.path %}
 {% assign repo_parts = site.repository | split: "/" %}
 {% assign repo_owner = repo_parts[0] %}
+{% assign page_absolute_url = page.url | absolute_url %}
+{% assign linkedin_share_title = page.title | default: site.title | strip_html | strip_newlines | strip %}
+{% assign linkedin_share_description = page.description | default: page.excerpt | default: site.description | strip_html | strip_newlines | strip %}
 
 {% comment %}
   Resolve author display name and optional profile URL from page front matter,
@@ -233,12 +236,19 @@
       </button>
       <ul class="dropdown-menu dropdown-menu-end" aria-labelledby="shareDropdownBottom">
         <li>
-          <a class="dropdown-item" href="https://reddit.com/submit?url={{ site.url | append: page.url | url_encode }}&amp;title={{ page.title | url_encode }}" target="_blank">
+          <a class="dropdown-item" href="https://reddit.com/submit?url={{ page_absolute_url | uri_escape }}&amp;title={{ page.title | uri_escape }}" target="_blank" rel="noopener noreferrer">
             <i class="bi bi-reddit me-2"></i>Share on Reddit
           </a>
         </li>
         <li>
-          <a class="dropdown-item" href="https://www.linkedin.com/sharing/share-offsite/?url={{ site.url | append: page.url | url_encode }}" target="_blank">
+          <a class="dropdown-item js-linkedin-share"
+             href="https://www.linkedin.com/sharing/share-offsite/?url={{ page_absolute_url | uri_escape }}"
+             target="_blank"
+             rel="noopener noreferrer"
+             title="Copies a cleaned article summary to your clipboard, then opens LinkedIn sharing"
+             data-share-url="{{ page_absolute_url | escape }}"
+             data-share-title="{{ linkedin_share_title | escape }}"
+             data-share-description="{{ linkedin_share_description | escape }}">
             <i class="bi bi-linkedin me-2"></i>Share on LinkedIn
           </a>
         </li>
@@ -332,4 +342,4 @@
       </div>
     </div>
   </div>
-</div>
+</div>

data/_layouts/note.html

@@ -1,6 +1,9 @@
 ---
 layout: default
 ---
+{% assign page_absolute_url = page.url | absolute_url %}
+{% assign linkedin_share_title = page.title | default: site.title | strip_html | strip_newlines | strip %}
+{% assign linkedin_share_description = page.description | default: page.excerpt | default: site.description | strip_html | strip_newlines | strip %}
 <!--
   ===================================================================
   NOTE LAYOUT - Quick Notes and Reference Display
@@ -153,11 +156,17 @@ layout: default
              class="btn btn-outline-primary btn-sm" target="_blank" rel="noopener noreferrer" aria-label="Share on X">
             <i class="bi bi-twitter-x"></i> X
           </a>
-          <a href="https://www.linkedin.com/sharing/share-offsite/?url={{ site.url | append: page.url | uri_escape }}" 
-             class="btn btn-outline-primary btn-sm" target="_blank" rel="noopener noreferrer">
+          <a href="https://www.linkedin.com/sharing/share-offsite/?url={{ page_absolute_url | uri_escape }}"
+             class="btn btn-outline-primary btn-sm js-linkedin-share"
+             data-share-url="{{ page_absolute_url | escape }}"
+             data-share-title="{{ linkedin_share_title | escape }}"
+             data-share-description="{{ linkedin_share_description | escape }}"
+             title="Copies a cleaned article summary to your clipboard, then opens LinkedIn sharing"
+             target="_blank" rel="noopener noreferrer">
             <i class="bi bi-linkedin"></i> LinkedIn
           </a>
-          <a href="mailto:?subject={{ page.title | uri_escape }}&body={{ site.url | append: page.url | uri_escape }}" 
+          <a href="mailto:?subject={{ page.title | uri_escape }}&body={{ page_absolute_url | uri_escape }}"
+             title="Share this note by email"
              class="btn btn-outline-primary btn-sm">
             <i class="bi bi-envelope"></i> Email
           </a>

data/assets/js/palette-generator.js

@@ -381,7 +381,7 @@ document.addEventListener('DOMContentLoaded', function () {
     ['--bs-border-radius', '--bs-border-width', '--bs-body-font-size', '--bs-body-font-weight', '--bs-body-line-height'].forEach(function (v) {
       if (state.liveOverrides[v]) {
         var key = v.replace('--bs-', '').replace(/-/g, '_');
-        lines.push('# ' + key + ': ' + state.liveOverrides[v]);
+        lines.push('# ' + key + ': "' + state.liveOverrides[v] + '"');
       }
     });
 

data/assets/js/share-actions.js

@@ -0,0 +1,156 @@
+(function () {
+  'use strict';
+
+  function normalizeWhitespace(text) {
+    return (text || '').replace(/\s+/g, ' ').trim();
+  }
+
+  function dedupeSections(sections) {
+    return sections.filter((section, index) => {
+      if (!section) return false;
+      const normalized = section.toLowerCase();
+      return !sections.slice(0, index).some((previous) => previous && previous.toLowerCase() === normalized);
+    });
+  }
+
+  function truncateToSentence(text, maxLength) {
+    if (text.length <= maxLength) return text;
+
+    const trimmed = text.slice(0, maxLength);
+    const sentenceBreak = Math.max(
+      trimmed.lastIndexOf('. '),
+      trimmed.lastIndexOf('! '),
+      trimmed.lastIndexOf('? ')
+    );
+
+    if (sentenceBreak > Math.floor(maxLength * 0.6)) {
+      return trimmed.slice(0, sentenceBreak + 1).trim();
+    }
+
+    const lastSpace = trimmed.lastIndexOf(' ');
+    const endIndex = lastSpace > 0 ? lastSpace : maxLength;
+    return `${trimmed.slice(0, endIndex).trim()}…`;
+  }
+
+  function getShareContentRoot() {
+    return document.querySelector('[itemprop="articleBody"]')
+      || document.querySelector('.bd-content')
+      || document.querySelector('main')
+      || document.body;
+  }
+
+  function extractCleanExcerpt(description) {
+    const contentRoot = getShareContentRoot();
+    const normalizedDescription = normalizeWhitespace(description).toLowerCase();
+    const paragraphTexts = Array.from(contentRoot.querySelectorAll('p'))
+      .map((paragraph) => normalizeWhitespace(paragraph.textContent))
+      .filter((paragraph) => paragraph.length > 40)
+      .filter((paragraph) => {
+        const normalizedParagraph = paragraph.toLowerCase();
+        return !normalizedDescription
+          || (normalizedParagraph !== normalizedDescription && !normalizedParagraph.includes(normalizedDescription));
+      });
+
+    const combinedParagraphs = paragraphTexts.slice(0, 4).join(' ');
+    const fallbackText = normalizeWhitespace(contentRoot.textContent);
+    const candidateText = combinedParagraphs || fallbackText;
+
+    return truncateToSentence(candidateText, 420);
+  }
+
+  function buildLinkedInShareText(anchor) {
+    const title = normalizeWhitespace(anchor.dataset.shareTitle || document.title);
+    const description = normalizeWhitespace(
+      anchor.dataset.shareDescription
+      || document.querySelector('meta[name="description"]')?.getAttribute('content')
+      || ''
+    );
+    const excerpt = extractCleanExcerpt(description);
+    const url = normalizeWhitespace(anchor.dataset.shareUrl || window.location.href);
+
+    return dedupeSections([title, description, excerpt, url]).join('\n\n');
+  }
+
+  async function copyShareText(text) {
+    if (!navigator.clipboard || typeof navigator.clipboard.writeText !== 'function') {
+      return false;
+    }
+
+    try {
+      await navigator.clipboard.writeText(text);
+      return true;
+    } catch (error) {
+      console.warn('LinkedIn share copy failed:', error);
+      return false;
+    }
+  }
+
+  function openShareWindow(href) {
+    return window.open(href || 'about:blank', '_blank', 'noopener,noreferrer');
+  }
+
+  function notify(message, type) {
+    const notification = document.createElement('div');
+    notification.className = `alert alert-${type || 'info'} shadow position-fixed top-0 end-0 m-3`;
+    notification.style.zIndex = '1085';
+    notification.setAttribute('role', 'status');
+    notification.textContent = message;
+    document.body.appendChild(notification);
+
+    window.setTimeout(() => {
+      notification.remove();
+    }, 4000);
+  }
+
+  function bindLinkedInShare(anchor) {
+    if (anchor.dataset.linkedinShareBound === 'true') return;
+
+    anchor.dataset.linkedinShareBound = 'true';
+    anchor.addEventListener('click', async function (event) {
+      event.preventDefault();
+
+      const shareWindow = openShareWindow('', '_blank');
+
+      const shareText = buildLinkedInShareText(anchor);
+      const copied = await copyShareText(shareText);
+
+      if (shareWindow) {
+        shareWindow.location = anchor.href;
+      } else {
+        window.location.assign(anchor.href);
+      }
+
+      if (copied) {
+        notify('A cleaned LinkedIn-ready summary was copied to your clipboard. Paste it on LinkedIn after the share page opens.', 'info');
+      } else {
+        notify('LinkedIn opened, but clipboard access was unavailable. Copy the summary manually if needed.', 'warning');
+      }
+    });
+  }
+
+  function bindCopyButton(button) {
+    if (button.dataset.copyBound === 'true') return;
+
+    button.dataset.copyBound = 'true';
+    button.addEventListener('click', async function () {
+      const copied = await copyShareText(button.dataset.copyText || '');
+
+      if (copied) {
+        notify(button.dataset.copySuccess || 'Copied to clipboard.', 'success');
+      } else {
+        notify('Clipboard access was unavailable.', 'warning');
+      }
+    });
+  }
+
+  function initLinkedInShareButtons() {
+    document.querySelectorAll('.js-linkedin-share').forEach(bindLinkedInShare);
+    document.querySelectorAll('.js-copy-share-link').forEach(bindCopyButton);
+  }
+
+  if (document.readyState === 'loading') {
+    document.addEventListener('DOMContentLoaded', initLinkedInShareButtons);
+  } else {
+    initLinkedInShareButtons();
+  }
+})();

data/assets/js/theme-customizer.js

@@ -121,7 +121,9 @@ document.addEventListener('DOMContentLoaded', function () {
     lines.push('');
     lines.push('theme_color:');
     document.querySelectorAll('[data-color-key]').forEach(function (el) {
-      lines.push('  ' + el.dataset.colorKey + ': ' + el.value);
+      // Quote values: unquoted #RRGGBB is parsed as a YAML comment,
+      // silently dropping the color (T-008).
+      lines.push('  ' + el.dataset.colorKey + ': "' + el.value + '"');
     });
     var output = document.getElementById('theme-yaml-output');
     if (output) output.textContent = lines.join('\n');

data/scripts/bin/validate

@@ -402,6 +402,7 @@ classified_files = %w[
     _config_dev.yml
     _config_secrets_local.yml
     pages/_about/settings/_config.yml
+    .github/ISSUE_TEMPLATE/config.yml
 ]
 classified_files.concat(Dir.glob('_data/**/*config*.{yml,yaml}'))
 

data/scripts/test/lib/run_tests.sh

@@ -127,6 +127,7 @@ main() {
     source "$TEST_DIR/test_changelog.sh"
     source "$TEST_DIR/test_gem.sh"
     source "$TEST_DIR/test_analyze_commits.sh"
+    source "$TEST_DIR/test_locale_independence.sh"
     
     # Summary
     echo -e "\n${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"

data/scripts/test/lib/test_locale_independence.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Locale-independence regression guard (T-015)
+#
+# PR #132 fixed `invalid byte sequence in US-ASCII` crashes in the Ruby
+# tooling that only reproduced when no UTF-8 locale was set (minimal
+# containers, some CI runners). These tests run the validators under
+# LC_ALL=C LANG=C so the bug class cannot silently return: the repo files
+# they read (README.md, _data/*.yml, package.json) contain multibyte
+# characters, so any locale-dependent File.read regresses to a crash here.
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
+
+echo "Testing locale independence (LC_ALL=C LANG=C)..."
+
+assert_true "(cd '$REPO_ROOT' && LC_ALL=C LANG=C ruby scripts/generate-roadmap.rb --check >/dev/null 2>&1)" \
+    "generate-roadmap.rb --check survives a C locale"
+
+assert_true "(cd '$REPO_ROOT' && LC_ALL=C LANG=C ruby scripts/generate-roadmap.rb --validate >/dev/null 2>&1)" \
+    "generate-roadmap.rb --validate survives a C locale"
+
+assert_true "(cd '$REPO_ROOT' && LC_ALL=C LANG=C ruby scripts/sync-backlog.rb --check >/dev/null 2>&1)" \
+    "sync-backlog.rb --check survives a C locale"
+
+# validate --quick covers the package.json read in scripts/bin/validate
+assert_true "(cd '$REPO_ROOT' && LC_ALL=C LANG=C ./scripts/bin/validate --quick >/dev/null 2>&1)" \
+    "validate --quick survives a C locale"
+
+echo -e "\n${GREEN}locale-independence tests complete${NC}"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-theme-zer0
 version: !ruby/object:Gem::Version
-  version: 1.13.1
+  version: 1.15.0
 platform: ruby
 authors:
 - Amr Abdel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-11 00:00:00.000000000 Z
+date: 2026-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -306,6 +306,7 @@ files:
 - assets/js/posts-pagination.js
 - assets/js/search-modal.js
 - assets/js/setup-wizard.js
+- assets/js/share-actions.js
 - assets/js/side-bar-folders.js
 - assets/js/skin-editor.js
 - assets/js/stats.js
@@ -482,6 +483,7 @@ files:
 - scripts/test/lib/test_changelog.sh
 - scripts/test/lib/test_gem.sh
 - scripts/test/lib/test_git.sh
+- scripts/test/lib/test_locale_independence.sh
 - scripts/test/lib/test_validation.sh
 - scripts/test/lib/test_version.sh
 - scripts/test/theme/validate
@@ -509,7 +511,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="